Open roywill opened 1 month ago
Are we asserting that the authentication identity to the end point is the identity to sign the content with?
This should be clarified/specified indeed.
Given the context of this endpoint being environments that can't sign their own Statements, the credential can't be 1:1 equivalent to an Issuer at a deep technical/cryptographic level. Therefore some logic has to be applied in the endpoint to convert the authenticated API client into a SCITT Issuer.
Given that, it seems reasonable to leave it fairly open, for example by adding:
"
This language is slightly sloppy but YKWIM.
The example in https://ietf-wg-scitt.github.io/draft-ietf-scitt-scrapi/draft-ietf-scitt-scrapi.html#section-2.2.1 should be updated to not be a W3C credential
Are we asserting that the authentication identity to the end point is the identity to sign the content with? I think we need to clarify that this can be completely different. I do question why we need to specify a validFrom date?